/*
 * Emit the IPv4-only HMARK options (source/destination prefix lengths)
 * in the form iptables-save expects, then delegate the family-independent
 * options to HMARK_save().
 *
 * @ip:     unused here; part of the xtables save-callback signature.
 * @target: the rule's target entry; its data area is an xt_hmark_info.
 */
static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_hmark_info *info = (const void *)target->data;
	const unsigned int flags = info->flags;

	/* The masks are stored as full netmasks; print them back as /N prefixes. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf(" --hmark-src-prefix %d",
		       xtables_ipmask_to_cidr(&info->src_mask.in));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf(" --hmark-dst-prefix %d",
		       xtables_ipmask_to_cidr(&info->dst_mask.in));

	HMARK_save(info);
}
/*
 * Validate an HMARK target when the rule is inserted.
 *
 * Rejects option combinations the packet path cannot honour:
 *  - a zero hash modulus (presumably the divisor of the final hash
 *    reduction, so it must be caught here rather than in the fast path);
 *  - a protocol mask together with L3-only mode;
 *  - SPI masks/values mixed with port masks/values (the SPI and the port
 *    pair appear to share the same storage in xt_hmark_info).
 *
 * @par: checkentry parameters; par->targinfo is the xt_hmark_info.
 *
 * Returns 0 if the target is acceptable, -EINVAL otherwise.
 */
static int hmark_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_hmark_info *info = par->targinfo;
	const unsigned int flags = info->flags;
	const unsigned int port_masks = XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
					XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
	const unsigned int port_sets = XT_HMARK_FLAG(XT_HMARK_SPORT) |
				       XT_HMARK_FLAG(XT_HMARK_DPORT);

	if (info->hmodulus == 0) {
		pr_info("xt_HMARK: hash modulus can't be zero\n");
		return -EINVAL;
	}

	if ((flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)) && info->proto_mask) {
		pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
		return -EINVAL;
	}

	if ((flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) && (flags & port_masks)) {
		pr_info("xt_HMARK: spi-mask and port-mask can't be combined\n");
		return -EINVAL;
	}

	if ((flags & XT_HMARK_FLAG(XT_HMARK_SPI)) && (flags & port_sets)) {
		pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
		return -EINVAL;
	}

	return 0;
}
/*
 * Human-readable listing of an IPv4 HMARK target (iptables -L).
 *
 * Prints the hash parameters and the address prefixes, then delegates
 * the port/SPI/protocol/rnd options to HMARK_print().
 *
 * @ip:      unused; part of the xtables print-callback signature.
 * @target:  the rule's target entry; its data area is an xt_hmark_info.
 * @numeric: unused; HMARK has nothing to resolve symbolically.
 */
static void HMARK_ip4_print(const void *ip, const struct xt_entry_target *target, int numeric)
{
	const struct xt_hmark_info *info = (const void *)target->data;
	const unsigned int flags = info->flags;
	int prefix;

	printf(" HMARK ");

	if (flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf("mod %u ", info->hmodulus);
	if (flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf("+ 0x%x ", info->hoffset);
	if (flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf("ct, ");

	/* Netmask -> prefix length, same conversion HMARK_ip4_save() uses. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
		prefix = xtables_ipmask_to_cidr(&info->src_mask.in);
		printf("src-prefix %u ", prefix);
	}
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
		prefix = xtables_ipmask_to_cidr(&info->dst_mask.in);
		printf("dst-prefix %u ", prefix);
	}

	HMARK_print(info);
}
/*
 * Print the address-family independent HMARK options in listing form.
 *
 * Port and SPI fields are kept in network byte order inside the
 * xt_hmark_info (see HMARK_parse(), which stores htons()/htonl()
 * values), so they are converted back before being shown.
 *
 * @info: the target's configuration.
 */
static void HMARK_print(const struct xt_hmark_info *info)
{
	const unsigned int flags = info->flags;
	const unsigned int sport_mask = htons(info->port_mask.p16.src);
	const unsigned int dport_mask = htons(info->port_mask.p16.dst);
	const unsigned int spi_mask = htonl(info->port_mask.v32);
	const unsigned int sport = htons(info->port_set.p16.src);
	const unsigned int dport = htons(info->port_set.p16.dst);
	const unsigned int spi = htonl(info->port_set.v32);

	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
		printf("sport-mask 0x%x ", sport_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
		printf("dport-mask 0x%x ", dport_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
		printf("spi-mask 0x%x ", spi_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
		printf("sport 0x%x ", sport);
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
		printf("dport 0x%x ", dport);
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI))
		printf("spi 0x%x ", spi);
	if (flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
		printf("proto-mask 0x%x ", info->proto_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_RND))
		printf("rnd 0x%x ", info->hashrnd);
}
/*
 * Fill the hash tuple for an IPv6 packet from its headers.
 *
 * ipv6_find_hdr() walks the extension-header chain and reports the
 * transport protocol, whether the packet is a fragment and the offset of
 * the transport header. For ICMPv6 errors the embedded (inner) packet is
 * parsed instead of the outer one, presumably so the error is hashed like
 * the flow it refers to. Addresses are always masked with the configured
 * prefixes; proto and ports are added only when L3-only mode is off, and
 * ports only for unfragmented, non-ICMPv6 packets.
 *
 * @skb:  the packet; its network header is expected to be linear at
 *        skb_network_offset() (the outer header is read via skb->data
 *        directly, the inner one via skb_header_pointer()).
 * @t:    tuple to fill; caller zeroes it beforehand.
 * @info: target configuration (masks and flags).
 *
 * Returns 0 when done, -1 if the inner header of an ICMPv6 error could
 * not be read. NOTE(review): a failed header walk on the outer packet
 * returns 0 with the tuple untouched, while the same failure on the inner
 * packet returns -1 — the asymmetry looks deliberate but is undocumented.
 */
static int hmark_pkt_set_htuple_ipv6(const struct sk_buff *skb, struct hmark_tuple *t, const struct xt_hmark_info *info)
{
	struct ipv6hdr *ip6, _ip6;
	/* Presumably asks ipv6_find_hdr() to stop at an AH header — see the
	 * "use SPI like in ESP" comment below. */
	int flag = IP6T_FH_F_AUTH;
	unsigned int nhoff = 0;
	u16 fragoff = 0;
	int nexthdr;

	ip6 = (struct ipv6hdr *) (skb->data + skb_network_offset(skb));
	nexthdr = ipv6_find_hdr(skb, &nhoff, -1, &fragoff, &flag);
	if (nexthdr < 0)
		return 0;
	/* No need to check for icmp errors on fragments */
	if ((flag & IP6T_FH_F_FRAG) || (nexthdr != IPPROTO_ICMPV6))
		goto noicmp;
	/* Use inner header in case of ICMP errors */
	if (get_inner6_hdr(skb, &nhoff)) {
		ip6 = skb_header_pointer(skb, nhoff, sizeof(_ip6), &_ip6);
		if (ip6 == NULL)
			return -1;
		/* If AH present, use SPI like in ESP. */
		flag = IP6T_FH_F_AUTH;
		/* Re-walk the chain from the inner header; nhoff now points
		 * at it, so the transport offset below refers to the inner
		 * packet as well. */
		nexthdr = ipv6_find_hdr(skb, &nhoff, -1, &fragoff, &flag);
		if (nexthdr < 0)
			return -1;
	}
noicmp:
	t->src = hmark_addr6_mask(ip6->saddr.s6_addr32, info->src_mask.all);
	t->dst = hmark_addr6_mask(ip6->daddr.s6_addr32, info->dst_mask.all);

	/* L3-only mode: addresses are the whole tuple. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = nexthdr;
	/* ICMPv6 has no ports. */
	if (t->proto == IPPROTO_ICMPV6)
		return 0;

	/* Fragments (including the first one) are hashed without ports. */
	if (flag & IP6T_FH_F_FRAG)
		return 0;

	hmark_set_tuple_ports(skb, nhoff, t, info);
	return 0;
}
/*
 * IPv4 target entry point: derive the hash tuple (from conntrack or from
 * the packet itself, depending on --hmark-tuple) and store the resulting
 * hash in skb->mark.
 *
 * @skb: the packet being processed.
 * @par: action parameters; par->targinfo is the xt_hmark_info.
 *
 * Always returns XT_CONTINUE; when no tuple can be built the mark is left
 * untouched.
 */
static unsigned int hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_hmark_info *info = par->targinfo;
	struct hmark_tuple t;
	int rc;

	memset(&t, 0, sizeof(t));

	if (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
		rc = hmark_ct_set_htuple(skb, &t, info);
	else
		rc = hmark_pkt_set_htuple_ipv4(skb, &t, info);

	/* No usable tuple (e.g. no conntrack entry, unreadable header). */
	if (rc < 0)
		return XT_CONTINUE;

	skb->mark = hmark_hash(&t, info);
	return XT_CONTINUE;
}
/*
 * Fill the hash tuple for an IPv4 packet from its headers.
 *
 * For ICMP errors the embedded (inner) packet is used instead of the outer
 * one. Addresses are always masked with the configured prefixes; proto and
 * ports are added only when L3-only mode is off, and ports only for
 * unfragmented, non-ICMP packets.
 *
 * @skb:  the packet; the outer header is read directly at
 *        skb_network_offset(), the inner one via skb_header_pointer().
 * @t:    tuple to fill; caller zeroes it beforehand.
 * @info: target configuration (masks and flags).
 *
 * Returns 0 when done, -1 if the inner header of an ICMP error could not
 * be read.
 */
static int hmark_pkt_set_htuple_ipv4(const struct sk_buff *skb, struct hmark_tuple *t, const struct xt_hmark_info *info)
{
	struct iphdr *iph, _iph;
	int nhoff = skb_network_offset(skb);

	iph = (struct iphdr *) (skb->data + nhoff);

	/* ICMP error: hash the packet quoted in the error payload instead.
	 * get_inner_hdr() moves nhoff to the inner header on success. */
	if (iph->protocol == IPPROTO_ICMP &&
	    get_inner_hdr(skb, iph->ihl * 4, &nhoff)) {
		iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
		if (iph == NULL)
			return -1;
	}

	t->src = ((__force u32) iph->saddr) & info->src_mask.ip;
	t->dst = ((__force u32) iph->daddr) & info->dst_mask.ip;

	/* L3-only mode: addresses are the whole tuple. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = iph->protocol;

	/* ICMP has no ports; fragments (all of them, not only follow-ups)
	 * are hashed without ports so every fragment lands in one bucket. */
	if (t->proto == IPPROTO_ICMP ||
	    (iph->frag_off & htons(IP_MF | IP_OFFSET)))
		return 0;

	hmark_set_tuple_ports(skb, nhoff + (iph->ihl * 4), t, info);
	return 0;
}
/*
 * Fill the hash tuple from the packet's conntrack entry (--hmark-tuple ct).
 *
 * Source comes from the ORIGINAL direction, destination from the source
 * of the REPLY direction, so both directions of a connection hash to the
 * same value. Ports are likewise taken from the two directions, masked,
 * overlaid with the configured set values and ordered so the pair is
 * direction independent.
 *
 * @skb:  the packet (must carry a tracked conntrack reference).
 * @t:    tuple to fill; caller zeroes it beforehand.
 * @info: target configuration (masks, set values, flags).
 *
 * Returns 0 on success, -1 when there is no usable conntrack entry or
 * conntrack is not compiled in.
 */
static int hmark_ct_set_htuple(const struct sk_buff *skb, struct hmark_tuple *t, const struct xt_hmark_info *info)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	struct nf_conntrack_tuple *orig, *reply;

	if (!ct || nf_ct_is_untracked(ct))
		return -1;

	orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
	reply = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;

	/* Both tuples belong to the same connection, so orig's l3num
	 * describes the reply addresses as well. */
	t->src = hmark_addr_mask(orig->src.l3num, orig->src.u3.all,
				 info->src_mask.all);
	t->dst = hmark_addr_mask(orig->src.l3num, reply->src.u3.all,
				 info->dst_mask.all);

	/* L3-only mode: addresses are the whole tuple. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = nf_ct_protonum(ct);

	/* ICMP has no ports. */
	if (t->proto == IPPROTO_ICMP)
		return 0;

	t->uports.p16.src = orig->src.u.all;
	t->uports.p16.dst = reply->src.u.all;
	t->uports.v32 = (t->uports.v32 & info->port_mask.v32) |
			info->port_set.v32;
	/* Canonical order: smaller port first, so A->B and B->A match. */
	if (t->uports.p16.dst < t->uports.p16.src)
		swap(t->uports.p16.dst, t->uports.p16.src);

	return 0;
#else
	return -1;
#endif
}
/*
 * Apply one keyword of --hmark-tuple to the target configuration.
 *
 * The keyword is the @len-byte token @type (not NUL-terminated at @len);
 * it is compared case-insensitively, and because only @len bytes are
 * compared an abbreviation matches the first keyword it is a prefix of,
 * in the order listed below. Each keyword fills the corresponding mask
 * with all-ones and records both the kernel flag and the option bit.
 *
 * @type:   start of the token.
 * @len:    token length.
 * @info:   target configuration being built.
 * @xflags: xtables option-seen bits, updated alongside info->flags.
 *
 * Returns 1 if the token was a known keyword, 0 otherwise.
 */
static int hmark_parse(const char *type, size_t len, struct xt_hmark_info *info, unsigned int *xflags)
{
	enum { KW_CT, KW_SRC, KW_DST, KW_SPORT, KW_DPORT, KW_PROTO, KW_SPI, KW_COUNT };
	static const char *const keywords[KW_COUNT] = {
		[KW_CT] = "ct",
		[KW_SRC] = "src",
		[KW_DST] = "dst",
		[KW_SPORT] = "sport",
		[KW_DPORT] = "dport",
		[KW_PROTO] = "proto",
		[KW_SPI] = "spi",
	};
	unsigned int kw;

	/* First match wins, mirroring the priority of the keyword list. */
	for (kw = 0; kw < KW_COUNT; kw++)
		if (strncasecmp(type, keywords[kw], len) == 0)
			break;

	switch (kw) {
	case KW_CT:
		info->flags |= XT_HMARK_FLAG(XT_HMARK_CT);
		*xflags |= (1 << O_HMARK_CT);
		break;
	case KW_SRC:
		memset(&info->src_mask, 0xff, sizeof(info->src_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
		*xflags |= (1 << O_HMARK_SADDR_MASK);
		break;
	case KW_DST:
		memset(&info->dst_mask, 0xff, sizeof(info->dst_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
		*xflags |= (1 << O_HMARK_DADDR_MASK);
		break;
	case KW_SPORT:
		memset(&info->port_mask.p16.src, 0xff,
		       sizeof(info->port_mask.p16.src));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
		*xflags |= (1 << O_HMARK_SPORT_MASK);
		break;
	case KW_DPORT:
		memset(&info->port_mask.p16.dst, 0xff,
		       sizeof(info->port_mask.p16.dst));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
		*xflags |= (1 << O_HMARK_DPORT_MASK);
		break;
	case KW_PROTO:
		memset(&info->proto_mask, 0xff, sizeof(info->proto_mask));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
		*xflags |= (1 << O_HMARK_PROTO_MASK);
		break;
	case KW_SPI:
		memset(&info->port_mask.v32, 0xff, sizeof(info->port_mask.v32));
		info->flags |= XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
		*xflags |= (1 << O_HMARK_SPI_MASK);
		break;
	default:
		return 0;
	}

	return 1;
}
/*
 * Emit the address-family independent HMARK options in the form
 * iptables-save expects (one " --option value" per set flag).
 *
 * Port and SPI fields are stored in network byte order inside the
 * xt_hmark_info, so they are converted back to host order for display.
 *
 * @info: the target's configuration.
 */
static void HMARK_save(const struct xt_hmark_info *info)
{
	const unsigned int flags = info->flags;

	/* Masks first, then set values, then the remaining scalars. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
		printf(" --hmark-sport-mask 0x%04x",
		       htons(info->port_mask.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
		printf(" --hmark-dport-mask 0x%04x",
		       htons(info->port_mask.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
		printf(" --hmark-spi-mask 0x%08x",
		       htonl(info->port_mask.v32));

	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
		printf(" --hmark-sport 0x%04x",
		       htons(info->port_set.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
		printf(" --hmark-dport 0x%04x",
		       htons(info->port_set.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI))
		printf(" --hmark-spi 0x%08x",
		       htonl(info->port_set.v32));

	if (flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
		printf(" --hmark-proto-mask 0x%02x", info->proto_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_RND))
		printf(" --hmark-rnd 0x%08x", info->hashrnd);
	if (flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf(" --hmark-mod %u", info->hmodulus);
	if (flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf(" --hmark-offset %u", info->hoffset);
	if (flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf(" --hmark-tuple ct");
}
/*
 * xtables option callback for the HMARK target.
 *
 * Lets xtables parse the option value, then stores it: port/SPI values
 * and masks are converted to network byte order before being written to
 * the xt_hmark_info, and the matching XT_HMARK_* flag is recorded. The
 * option-seen bit is always set so the framework can check for
 * duplicates and required options.
 *
 * @cb:   option-call state; cb->data is the xt_hmark_info being built.
 * @plen: unused; part of the callback signature.
 */
static void HMARK_parse(struct xt_option_call *cb, int plen)
{
	struct xt_hmark_info *info = cb->data;
	unsigned int flag = 0;

	xtables_option_parse(cb);

	switch (cb->entry->id) {
	case O_HMARK_TYPE:
		/* --hmark-tuple: a keyword list handled by hmark_parse_type(). */
		hmark_parse_type(cb);
		break;
	case O_HMARK_SPI:
		info->port_set.v32 = htonl(cb->val.u32);
		flag = XT_HMARK_FLAG(XT_HMARK_SPI);
		break;
	case O_HMARK_SPORT:
		info->port_set.p16.src = htons(cb->val.u16);
		flag = XT_HMARK_FLAG(XT_HMARK_SPORT);
		break;
	case O_HMARK_DPORT:
		info->port_set.p16.dst = htons(cb->val.u16);
		flag = XT_HMARK_FLAG(XT_HMARK_DPORT);
		break;
	case O_HMARK_SPORT_MASK:
		info->port_mask.p16.src = htons(cb->val.u16);
		flag = XT_HMARK_FLAG(XT_HMARK_SPORT_MASK);
		break;
	case O_HMARK_DPORT_MASK:
		info->port_mask.p16.dst = htons(cb->val.u16);
		flag = XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
		break;
	case O_HMARK_SPI_MASK:
		info->port_mask.v32 = htonl(cb->val.u32);
		flag = XT_HMARK_FLAG(XT_HMARK_SPI_MASK);
		break;
	/* Options whose value xtables already stored into info via the
	 * option table; only the flag is recorded here. */
	case O_HMARK_SADDR_MASK:
		flag = XT_HMARK_FLAG(XT_HMARK_SADDR_MASK);
		break;
	case O_HMARK_DADDR_MASK:
		flag = XT_HMARK_FLAG(XT_HMARK_DADDR_MASK);
		break;
	case O_HMARK_PROTO_MASK:
		flag = XT_HMARK_FLAG(XT_HMARK_PROTO_MASK);
		break;
	case O_HMARK_RND:
		flag = XT_HMARK_FLAG(XT_HMARK_RND);
		break;
	case O_HMARK_MODULUS:
		flag = XT_HMARK_FLAG(XT_HMARK_MODULUS);
		break;
	case O_HMARK_OFFSET:
		flag = XT_HMARK_FLAG(XT_HMARK_OFFSET);
		break;
	case O_HMARK_CT:
		flag = XT_HMARK_FLAG(XT_HMARK_CT);
		break;
	}

	info->flags |= flag;
	cb->xflags |= (1 << cb->entry->id);
}